<html>
<head><meta charset="utf-8"><title>use of unsafe · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html">use of unsafe</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="154438613"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/154438613" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#154438613">(Jan 04 2019 at 21:29)</a>:</h4>
<p>Ropey just got released as 1.0 and I got <a href="https://www.reddit.com/r/rust/comments/accvq7/ropey_10_an_editable_text_buffer_for_rust/ed938tv/?context=3" target="_blank" title="https://www.reddit.com/r/rust/comments/accvq7/ropey_10_an_editable_text_buffer_for_rust/ed938tv/?context=3">an overview</a> of the use of unsafe code in it from the author. Haven't dug into the code yet, but this may be an interesting case for trying to exploit compiler optimizations without resorting to unsafe code.</p>



<a name="159797091"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/159797091" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> snf <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#159797091">(Mar 02 2019 at 13:30)</a>:</h4>
<p>Reviving this thread. Anyone made stats on how unsafe is used? I'm thinking in FFI, Sync/Send (or other traits) or others.</p>



<a name="159797218"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/159797218" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> snf <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#159797218">(Mar 02 2019 at 13:32)</a>:</h4>
<p>Afaik, <a href="https://github.com/anderejd/cargo-geiger" target="_blank" title="https://github.com/anderejd/cargo-geiger">https://github.com/anderejd/cargo-geiger</a> is the best tool for analyzing unsafe code but it's missing FFI in its classification. Probably because it doesn't matter as long as it is unsafe code</p>



<a name="159799059"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/159799059" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#159799059">(Mar 02 2019 at 14:13)</a>:</h4>
<p>I have seen a number of common patterns of unsafe code usage in binary format decoders. We've even got a clippy warning for a (precursor to) one of them. If I don't get around to replying today, poke me tomorrow and I'll elaborate.</p>



<a name="160792733"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160792733" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160792733">(Mar 14 2019 at 15:39)</a>:</h4>
<p>Today I saw this in the libflate crate</p>
<div class="codehilite"><pre><span></span>let mut buf = Vec::new();
    loop {
        let b = reader.read_u8()?;
        if b == 0 {
            return Ok(unsafe { CString::from_vec_unchecked(buf) });
        }
        buf.push(b);
    }
</pre></div>


<p>If you look closely you can see that this is actually safe, since there could be no NULL characters in between. I guess they probably did this for performance reasons, such that they don't have to check the whole Vec for intermediary NULL characters.</p>
<p>Now I am not a pro, but I think it should not be too hard to create a method for this. I wouldn't be surprised if this occurs more often.<br>
The options that pop up in my mind:</p>
<p>1. Implement Read::read_cstring() -&gt; CString            (this could be implemented by the trait itself, using Read::read() -&gt; u8)<br>
2. Implement CString::read&lt;T: impl Read&gt;(readable: T) -&gt; CString<br>
3. Add some utility methods to a crate like byteorder that could read from a Read trait.<br>
Forgive me the names of the functions, though, it's about the general idea :)</p>
<p>Curious to what you guys think!</p>



<a name="160808352"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160808352" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Daniel Carosone <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160808352">(Mar 14 2019 at 18:29)</a>:</h4>
<p>sounds good, but note that <code>read_u8</code>doesn't seem to be part of the <code>Read</code> trait either, must be elsewhere in that crate or its deps. If it weren't for that, I think Option 2 seems most appropriate</p>



<a name="160819714"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160819714" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160819714">(Mar 14 2019 at 20:34)</a>:</h4>
<p>I think this can be rewritten using <code>read_until()</code>: <a href="https://doc.rust-lang.org/std/io/trait.BufRead.html#method.read_until" target="_blank" title="https://doc.rust-lang.org/std/io/trait.BufRead.html#method.read_until">https://doc.rust-lang.org/std/io/trait.BufRead.html#method.read_until</a></p>



<a name="160819841"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160819841" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160819841">(Mar 14 2019 at 20:36)</a>:</h4>
<p>Could you provide some context for that code? It's strange to see a pure-Rust library use a <code>CString</code> at all.</p>



<a name="160820425"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160820425" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160820425">(Mar 14 2019 at 20:43)</a>:</h4>
<p>Not directly relevant, but I just wanted to jot down some notes while we're discussing libflate: <a href="https://github.com/sile/libflate/blob/74c2b8bd5072cd9ca676d5b92ee326e64a01827f/src/lz77/default.rs#L108-L117" target="_blank" title="https://github.com/sile/libflate/blob/74c2b8bd5072cd9ca676d5b92ee326e64a01827f/src/lz77/default.rs#L108-L117">https://github.com/sile/libflate/blob/74c2b8bd5072cd9ca676d5b92ee326e64a01827f/src/lz77/default.rs#L108-L117</a><br>
This function has caused trouble for the second time in a row. The function declaration is definitely wrong, the code as-is should be annotated <code>unsafe fn</code> because it doesn't validate that the length of the input is greater than 3.<br>
But we actually want that function to be safe, so we want to validate that. The cheap way to do it is either an assert at the beginning, or subslice it <code>[0..3]</code> and look up values from that. This creates only one bounds check.<br>
Since the function is marked <code>#[inline(always)]</code> rustc should elide the bounds check entirely where appropriate. The next step is to find if there are any hot loops which are using this function and check bounds for the entire loop just once, if possible. You can do that without explicit <code>unsafe</code> if you do the checks up front and the optimizer figures out that they can be elided in the loop.</p>



<a name="160823099"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160823099" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160823099">(Mar 14 2019 at 21:14)</a>:</h4>
<blockquote>
<p>sounds good, but note that <code>read_u8</code>doesn't seem to be part of the <code>Read</code> trait either, must be elsewhere in that crate or its deps. If it weren't for that, I think Option 2 seems most appropriate</p>
</blockquote>
<p>Ah my bad... I thought it provided such a method but apparently it does not..</p>



<a name="160824124"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160824124" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160824124">(Mar 14 2019 at 21:27)</a>:</h4>
<blockquote>
<p>I think this can be rewritten using <code>read_until()</code>: <a href="https://doc.rust-lang.org/std/io/trait.BufRead.html#method.read_until" target="_blank" title="https://doc.rust-lang.org/std/io/trait.BufRead.html#method.read_until">https://doc.rust-lang.org/std/io/trait.BufRead.html#method.read_until</a></p>
</blockquote>
<p>The code is from here!: <a href="https://github.com/sile/libflate/blob/a7cd7995458ace28ed388ba0d1374bfdc4b495e5/src/gzip.rs" target="_blank" title="https://github.com/sile/libflate/blob/a7cd7995458ace28ed388ba0d1374bfdc4b495e5/src/gzip.rs">https://github.com/sile/libflate/blob/a7cd7995458ace28ed388ba0d1374bfdc4b495e5/src/gzip.rs</a><br>
I see that they use the byteorder crate (with ReadBytesExt) to do the read_u8() call.</p>
<p>I must say read_until() looks promising, however when I smell my mustache I feel like something's not quite right. </p>
<p>Let's take for example libflate. I can image that someone wants their Decoder to be used with anything that implement Read right? Regardless of when it implements BufRead or not. I can imagine someone implementing some kind of  structure that implements Read but not BufRead, without having to perform expensive system calls. Or does this make no sense?  </p>
<p>I thought repeatedly reading a single byte with Read::read would be really slow, but I see that the byteorder ReadBytesExt::read_u8 does exactly this. Therefore we could technically create a Read::read_until method that uses Read::read without performance overhead (as long as the object implementing Read::read is efficient)</p>



<a name="160824481"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160824481" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160824481">(Mar 14 2019 at 21:30)</a>:</h4>
<blockquote>
<p>Not directly relevant, but I just wanted to jot down some notes while we're discussing libflate: <a href="https://github.com/sile/libflate/blob/74c2b8bd5072cd9ca676d5b92ee326e64a01827f/src/lz77/default.rs#L108-L117" target="_blank" title="https://github.com/sile/libflate/blob/74c2b8bd5072cd9ca676d5b92ee326e64a01827f/src/lz77/default.rs#L108-L117">https://github.com/sile/libflate/blob/74c2b8bd5072cd9ca676d5b92ee326e64a01827f/src/lz77/default.rs#L108-L117</a><br>
This function has caused trouble for the second time in a row. The function declaration is definitely wrong, the code as-is should be annotated <code>unsafe fn</code> because it doesn't validate that the length of the input is greater than 3.<br>
But we actually want that function to be safe, so we want to validate that. The cheap way to do it is either an assert at the beginning, or subslice it <code>[0..3]</code> and look up values from that. This creates only one bounds check.<br>
Since the function is marked <code>#[inline(always)]</code> rustc should elide the bounds check entirely where appropriate. The next step is to find if there are any hot loops which are using this function and check bounds for the entire loop just once, if possible. You can do that without explicit <code>unsafe</code> if you do the checks up front and the optimizer figures out that they can be elided in the loop.</p>
</blockquote>
<p>As for this!: I saw this as well! It looked like it could easily go wrong if the slice is not exactly 3 bytes. I am not sure however how easy that is to happen. Personally I kind of feel like a single bound check should not degrade performance by that much and I'd rather have safe code then something that squeezes out a few extra micro/milliseconds. I will at least take a look at this! Hopefully I have some time tomorrow!</p>



<a name="160824522"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160824522" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160824522">(Mar 14 2019 at 21:31)</a>:</h4>
<p>I think the better question to ask would be why does it use <code>CString</code> at all. It's not the read part that's unsafe, it's the CString part.</p>



<a name="160824686"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160824686" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160824686">(Mar 14 2019 at 21:33)</a>:</h4>
<p>Build a benchmark with Criterion and you'll know instead of guessing: <a href="https://bheisler.github.io/criterion.rs/book/index.html" target="_blank" title="https://bheisler.github.io/criterion.rs/book/index.html">https://bheisler.github.io/criterion.rs/book/index.html</a><br>
I'm pretty sure I've already made one for <code>inflate</code> crate, so you can mostly reuse that for <code>libflate</code>: <a href="https://github.com/Shnatsel/inflate/tree/benchmarking" target="_blank" title="https://github.com/Shnatsel/inflate/tree/benchmarking">https://github.com/Shnatsel/inflate/tree/benchmarking</a><br>
Bonus points for contributing it upstream.</p>



<a name="160825569"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160825569" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160825569">(Mar 14 2019 at 21:43)</a>:</h4>
<blockquote>
<p>I think the better question to ask would be why does it use <code>CString</code> at all. It's not the read part that's unsafe, it's the CString part.</p>
</blockquote>
<p>I figured out that it's used for reading the GZIP header which stores the filename and potential comments as a null-terminated String. It seems like the unsafe function is used for both the filename and the comment field.</p>



<a name="160825898"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160825898" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160825898">(Mar 14 2019 at 21:47)</a>:</h4>
<p>Any reason why a plain old Vec doesn't cut it?</p>



<a name="160825907"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160825907" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160825907">(Mar 14 2019 at 21:47)</a>:</h4>
<blockquote>
<p>I think the better question to ask would be why does it use <code>CString</code> at all. It's not the read part that's unsafe, it's the CString part.</p>
</blockquote>
<p>Mmm I agree that the function call of CString is what makes it unsafe, but wouldn't you say that there should be a safe method for reading a CString without having to do loop over a buffer twice? Like reading and constructing a CString such that one can safely construct a CString while knowing that there are no null characters in between? I wouldn't be surprised if other projects would use the unchecked version as well just for performance reasons, while shouldn't be strictly necessary I think :)</p>



<a name="160826048"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826048" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826048">(Mar 14 2019 at 21:49)</a>:</h4>
<p>Wait... I suddenly feel like I am beginning to understand things haha :)</p>
<p>We can probably just replace the loop and fill the buffer without the null character and then convert it to a String or str somehow right?</p>



<a name="160826131"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826131" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826131">(Mar 14 2019 at 21:50)</a>:</h4>
<p>String or &amp;str must be valid UTF-8, these are just bytes. It should be a vector.</p>



<a name="160826190"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826190" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826190">(Mar 14 2019 at 21:50)</a>:</h4>
<blockquote>
<p>String or &amp;str must be valid UTF-8, these are just bytes. It should be a vector.</p>
</blockquote>
<p>That sounds good. I see that they also have calls like: get_filename and get_comment. Do you think these should return Vectors as well?</p>



<a name="160826203"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826203" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826203">(Mar 14 2019 at 21:51)</a>:</h4>
<p>Unless the function is passing the CString to some C code, the same guarantee (that the sequence is null-terminated) can be achieved by introducing a NullTerminatedVec newtype, with constructor that accepts a Vec and implements Deref into Vec</p>



<a name="160826236"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826236" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826236">(Mar 14 2019 at 21:51)</a>:</h4>
<p>If they have <code>CString</code> in the public API, you're probably stuck with them though</p>



<a name="160826349"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826349" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826349">(Mar 14 2019 at 21:52)</a>:</h4>
<p>Well, you could convert them into slices I guess</p>



<a name="160826375"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826375" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826375">(Mar 14 2019 at 21:52)</a>:</h4>
<p>They do have this kind of code:</p>
<div class="codehilite"><pre><span></span>/// Returns the file name.
    pub fn filename(&amp;self) -&gt; Option&lt;&amp;CString&gt; {
        self.filename.as_ref()
    }

    /// Returns the comment.
    pub fn comment(&amp;self) -&gt; Option&lt;&amp;CString&gt; {
        self.comment.as_ref()
    }
</pre></div>


<p>but they do not pass it anywhere to C code.</p>



<a name="160826400"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826400" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826400">(Mar 14 2019 at 21:53)</a>:</h4>
<p>So I guess we're stuck then?</p>



<a name="160826425"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826425" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> snf <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826425">(Mar 14 2019 at 21:53)</a>:</h4>
<p>It's probably to return the information as it is in the file</p>



<a name="160826432"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826432" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826432">(Mar 14 2019 at 21:53)</a>:</h4>
<p>Actually, could Vector maybe implement <code>.into(CString)</code>?</p>



<a name="160826453"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826453" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826453">(Mar 14 2019 at 21:54)</a>:</h4>
<p>Not slice, but vector</p>



<a name="160826509"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826509" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826509">(Mar 14 2019 at 21:54)</a>:</h4>
<p>That could be implemented safely and efficiently</p>



<a name="160826526"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826526" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> snf <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826526">(Mar 14 2019 at 21:54)</a>:</h4>
<p>I think there ir CString::from(Vec&lt;u8&gt;), it will probably require iterating it though</p>



<a name="160826528"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826528" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826528">(Mar 14 2019 at 21:54)</a>:</h4>
<p>How could it be done efficiently? It'd need a linear scan right?</p>



<a name="160826530"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826530" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826530">(Mar 14 2019 at 21:54)</a>:</h4>
<p>That would probably work, however I guess that would require checking if there are any null terminated characters in the content as well.</p>



<a name="160826580"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826580" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826580">(Mar 14 2019 at 21:55)</a>:</h4>
<p><code>CString::new</code> uses <code>memchr</code>, so it's probably pretty fast, though obviously still O(n)</p>



<a name="160826670"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826670" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826670">(Mar 14 2019 at 21:56)</a>:</h4>
<p>The thing is this I guess:</p>
<p>CString supports a safe way to read the CString namely CString::new. But that method checks the whole buffer again for intermediary null characters. So for performance reasons CString::from_vec_unchecked is used. If we would do a Vec to CString I guess in order to be safe we would also have to perform the check again right? Or am I wrong about this?</p>



<a name="160826692"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826692" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826692">(Mar 14 2019 at 21:57)</a>:</h4>
<p>I think you're right -- we really need a <code>CString::from_reader</code> or something like that</p>



<a name="160826720"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826720" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826720">(Mar 14 2019 at 21:57)</a>:</h4>
<blockquote>
<p>I think you're right -- we really need a <code>CString::from_reader</code> or something like that</p>
</blockquote>
<p>I personally think this would solve many problems as well. You don't have to sacrifice performance and it would still be safe.</p>



<a name="160826837"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826837" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826837">(Mar 14 2019 at 21:59)</a>:</h4>
<p>Yeah <code>CString::from_reader</code> sounds like a good idea. However, CString in public API still sounds like a really bad idea.</p>



<a name="160826918"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826918" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826918">(Mar 14 2019 at 22:00)</a>:</h4>
<p>Yeah, that also seems like a mistake</p>



<a name="160826971"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160826971" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160826971">(Mar 14 2019 at 22:01)</a>:</h4>
<p>I guess we all agree on that! :) If you guys would like it I can create an issue and submit a pull request?</p>



<a name="160827025"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160827025" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160827025">(Mar 14 2019 at 22:02)</a>:</h4>
<p>Adding <code>CString::from_reader</code> or changing libflate API?</p>



<a name="160827074"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160827074" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160827074">(Mar 14 2019 at 22:03)</a>:</h4>
<p>First adding CString::from_reader and then changing libflate as well! It will probably take a while till the CString PR would get through, so I could look at other problems with libflate as well.</p>



<a name="160827235"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160827235" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160827235">(Mar 14 2019 at 22:05)</a>:</h4>
<p>Or do you think I am running too fast with this?</p>



<a name="160827572"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160827572" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160827572">(Mar 14 2019 at 22:10)</a>:</h4>
<p>Nah, go right ahead! I think prototyping it locally would be a good start, then you can create an RFC describing the behavior and a PR against standard library.</p>



<a name="160827602"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160827602" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160827602">(Mar 14 2019 at 22:10)</a>:</h4>
<p>I think just adding a single new method to <code>CString</code> wouldn't require an RFC, but I'm not positive.</p>



<a name="160827625"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160827625" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160827625">(Mar 14 2019 at 22:11)</a>:</h4>
<p>Start with a PR and they'll tell you if an RFC is needed or not :)</p>



<a name="160827661"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160827661" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160827661">(Mar 14 2019 at 22:11)</a>:</h4>
<p>Also we should start collecting info on the patterns we find that are missing. I have put a lot of work into one back in the day, along with a proposal to fix it, although my implementation turned out to be too fragile for my liking: <a href="https://internals.rust-lang.org/t/pre-rfc-fixed-capacity-view-of-vec/8413/1" target="_blank" title="https://internals.rust-lang.org/t/pre-rfc-fixed-capacity-view-of-vec/8413/1">https://internals.rust-lang.org/t/pre-rfc-fixed-capacity-view-of-vec/8413/1</a></p>



<a name="160827776"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160827776" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160827776">(Mar 14 2019 at 22:13)</a>:</h4>
<p><span class="user-mention" data-user-id="130046">@Alex Gaynor</span> Unstable methods, especially on non-traits, definitely don't need RFCs for the most part</p>



<a name="160827793"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160827793" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160827793">(Mar 14 2019 at 22:13)</a>:</h4>
<p>OTOH, stabilizing one might -- depending on the amount of thorny questions around the API. Probably not though.</p>



<a name="160827986"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160827986" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160827986">(Mar 14 2019 at 22:16)</a>:</h4>
<p>I will first make a small draft of the function tomorrow and share it with you guys, so you can review it first. Since I am not a very experienced Rust programmer that might be the best option! I'll go catch some sleep now and I'll tune in tomorrow again! Thanks for the nice discussion (Y)!</p>



<a name="160828047"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160828047" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160828047">(Mar 14 2019 at 22:17)</a>:</h4>
<p>Is there anything we want to cover other than <code>BufReader</code> types? That would make implementation trivial, and would cover most use cases since <code>Cursor</code> implements <code>BufReader</code> and if you're doing external I/O you probably want to wrap that in a BufReader as well.</p>



<a name="160828151"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160828151" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160828151">(Mar 14 2019 at 22:18)</a>:</h4>
<p>OTOH I'm not sure how that meshes with the <code>byteorder</code> use case, which might be a deal-breaker</p>



<a name="160828478"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160828478" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160828478">(Mar 14 2019 at 22:24)</a>:</h4>
<p>Perhaps Byteorder could expose a <code>u8_reader</code> that implements BufReader if the underlying reader does as well</p>



<a name="160871318"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160871318" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160871318">(Mar 15 2019 at 12:52)</a>:</h4>
<p>Alright guys! I made my initial version: </p>
<div class="codehilite"><pre><span></span>pub fn CString::from_reader(mut reader: impl Read) -&gt; Result&lt;CString, std::io::Error&gt;
{
    let mut buffer = Vec::new();
    loop {
        // Read a single byte, same way as byteorder::read_u8 does it (using std::slice however).
        // If the specific implementation of Read::read is buffered and inlined
        // I am quite sure this can be optimized well.
        let mut character: u8 = 0;
        let slice = std::slice::from_mut(&amp;mut character);
        reader.read_exact(slice)?;

        // Push a new character.
        buffer.push(character);

        // Check if a null character has been found, if so return the Vec as CString.
        if character == 0 {
            return Ok(CString { inner: buffer.into_boxed_slice() });
        }
    }
}
</pre></div>


<p>Here is a playground version of it but since I cannot construct CString directly I modified the code slightly for it to work (moving the buffer line and replacing it with from_vec_unchecked). But the general idea is the same.</p>
<p>Playground version: <a href="https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2018&amp;gist=59f4f97198d6d5a3310064770be2f4e1" target="_blank" title="https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2018&amp;gist=59f4f97198d6d5a3310064770be2f4e1">https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2018&amp;gist=59f4f97198d6d5a3310064770be2f4e1</a></p>



<a name="160871515"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160871515" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160871515">(Mar 15 2019 at 12:55)</a>:</h4>
<p>Let me know what you guys think! </p>
<p>The only thing that kind of itches me is the initial capacity of a Vec. It feels like it would be a bit of a shame if Vec has to allocate multiple times because the to-be-read string is longer then expected. I am not sure if it would be overkill, but maybe we should create another method that allows a user to specify the default capacity?</p>



<a name="160903960"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160903960" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160903960">(Mar 15 2019 at 19:05)</a>:</h4>
<p>So another idea occurred to me; should <code>CString</code> support a safe <code>from</code> method that takes <code>Vec&lt;NonZeroU8&gt;</code>? Because it's <code>repr(transparent)</code> I think you can cheat and convert it into a <code>&amp;[u8]</code> with some magic <code>unsafe</code>.</p>



<a name="160908636"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160908636" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160908636">(Mar 15 2019 at 20:00)</a>:</h4>
<p>Why not <code>unsafe {CString::from_vec_unchecked(buffer)}</code>? That sounds like the obvious thing from performance standpoint. People will just roll their own version of this if the stdlib function doesn't work like that.</p>



<a name="160908680"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160908680" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160908680">(Mar 15 2019 at 20:00)</a>:</h4>
<p>Why not what? That's what people seem to be doing now, the question was how do we reduce the need to write <code>unsafe</code>?</p>



<a name="160908826"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160908826" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160908826">(Mar 15 2019 at 20:02)</a>:</h4>
<p>Oh, I meant to ask why is that not in the function code posted above. My thinking was that we write the function with that unsafe block once and expose a safe interface, and everybody else can use it to get speed without rolling their own <code>unsafe</code>.</p>



<a name="160918065"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160918065" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160918065">(Mar 15 2019 at 22:17)</a>:</h4>
<p>Oh, sure, that works. My suggestion about something taking <code>Vec&lt;NonZeroU8&gt;</code> was mostly because that has the interesting property that it can be safe and fast.</p>



<a name="160921037"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160921037" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160921037">(Mar 15 2019 at 23:08)</a>:</h4>
<p>About the unsafe CString::from_vec_unchecked!: I guess it is because it uses reserve_exact right? Otherwise the code is exactly identical. But I agree that might be better! We would introduce calling an unsafe method to the from_reader method, but in terms of behavior it would be just as unsafe as constructing it directly. If the from_vec_unchecked call is inlined we have the same (optimal) performance!</p>
<p>Are there any other things you'd suggest me to change? Otherwise I can open a PR for this! I wonder however about the procedure. Should I first create an issue on the Rust repo for this? Or can I directly make a pull request?</p>



<a name="160921144"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160921144" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160921144">(Mar 15 2019 at 23:10)</a>:</h4>
<p>you can send a PR without an issue</p>



<a name="160921317"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160921317" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160921317">(Mar 15 2019 at 23:13)</a>:</h4>
<p>Okay thanks for that info! It's already 0:12 here, so I will create one and link it back here tomorrow.</p>



<a name="160921318"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160921318" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160921318">(Mar 15 2019 at 23:13)</a>:</h4>
<p>Good night guys :)</p>



<a name="160921643"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160921643" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160921643">(Mar 15 2019 at 23:19)</a>:</h4>
<p>And btw Alex! I think its a cool idea! However I was wondering: How can one construct a Vec&lt;NonZeroU8&gt; safely without suffering the performance check of having to check if it is non-zero? Or do you think the compiler can optimise this? I could check if it does tomorrow if you're not sure</p>



<a name="160933294"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160933294" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160933294">(Mar 16 2019 at 04:06)</a>:</h4>
<p>Check where? In the sample from libflate, you're already checking if each byte is 0, this would simply change that check into constructing a new <code>NonZeroU8</code></p>



<a name="160941752"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160941752" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160941752">(Mar 16 2019 at 08:21)</a>:</h4>
<p>Ahhh in that sense! I think that would be a great approach as well! What about implementing the From&lt;Vec&lt;NonZeroU8&gt;&gt; for CString? That way we can consume the buffer and use it for the CString.</p>



<a name="160941863"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160941863" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160941863">(Mar 16 2019 at 08:25)</a>:</h4>
<p>Maybe that is even better actually. I always felt like CString::from_reader is a bit akward... I think using the From trait would introduce less clutter but it would mean that people have to code reading byte by byte just as I did before themselves, but I that doesn't have to be a problem perse.</p>



<a name="160945170"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160945170" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160945170">(Mar 16 2019 at 10:07)</a>:</h4>
<p>Alright, I guess we have two methods of doing this right now:</p>
<p><strong>Method 1: Using CString::from_reader</strong><br>
<a href="https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2018&amp;gist=49cecd94f4cc0e1c09dc83deca5c91ee" target="_blank" title="https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2018&amp;gist=49cecd94f4cc0e1c09dc83deca5c91ee">https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2018&amp;gist=49cecd94f4cc0e1c09dc83deca5c91ee</a></p>
<ul>
<li>Ease of use: People only require one line of code to get what they want, namely CString::from_reader<br>
-/+ Flexibility: Can only be used on items that implement Read. On the other hand: &amp;[u8] implements Read so in some sense it is quite flexible I guess?</li>
</ul>
<p><strong>Method 2: Using From&lt;Vec&lt;NonZeroU8&gt;&gt;</strong><br>
<a href="https://play.rust-lang.org/?version=stable&amp;mode=release&amp;edition=2018&amp;gist=3a4a90b19e7e7d3fdd80f9f1f48edeb9" target="_blank" title="https://play.rust-lang.org/?version=stable&amp;mode=release&amp;edition=2018&amp;gist=3a4a90b19e7e7d3fdd80f9f1f48edeb9">https://play.rust-lang.org/?version=stable&amp;mode=release&amp;edition=2018&amp;gist=3a4a90b19e7e7d3fdd80f9f1f48edeb9</a></p>
<ul>
<li>Ease of use: People are required to manually read bytes into a Vec&lt;NonZeroU8&gt;</li>
<li>Flexibility: Everything that can be converted to Vec&lt;NonZeroU8&gt; can be converted to a CString, not only objects that implement Read.</li>
</ul>
<p>Additional Question: Maybe we should provide both methods?</p>
<p>Personally I feel like the second option just feels more right... The only thing I am worried about is that people find it too complex and will use do something unsafe because they have no knowledge on how to do it right.</p>



<a name="160946120"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/160946120" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#160946120">(Mar 16 2019 at 10:35)</a>:</h4>
<p>I decided to create an issue: <a href="https://github.com/rust-lang/rust/issues/59229" target="_blank" title="https://github.com/rust-lang/rust/issues/59229">https://github.com/rust-lang/rust/issues/59229</a> such that we can continue the discussion there. I am also wondering if there are other people of the Rust community that have any solutions on their minds. To be really honest, I think implementing both methods we have come up with so far does not sound so bad.</p>



<a name="161117195"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/161117195" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Daniel Carosone <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#161117195">(Mar 19 2019 at 03:22)</a>:</h4>
<p><code>NonZeroU8</code> seems like a great way to arrange for the null check to happen once, and to communicate safely using types that it's already happened</p>



<a name="161117274"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/161117274" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Daniel Carosone <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#161117274">(Mar 19 2019 at 03:24)</a>:</h4>
<p><em>but</em> it won't carry the NULL terminator, so some copying is needed to get a contiguous 0u8 on the end in the CString's storage.</p>



<a name="161117318"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/161117318" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#161117318">(Mar 19 2019 at 03:25)</a>:</h4>
<p>You don't need to copy, since you're passing ownership of the <code>Vec</code> to <code>CString</code> you can just append to it -- after stealing the storage and converting it to a <code>Vec&lt;u8&gt;</code> of course.</p>



<a name="161117366"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/161117366" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Daniel Carosone <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#161117366">(Mar 19 2019 at 03:26)</a>:</h4>
<p>yeah, so long as the Vec has capacity +1</p>



<a name="161124686"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/161124686" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#161124686">(Mar 19 2019 at 06:28)</a>:</h4>
<p>I will implement the CString::from_reader function tomorrow hopefully!</p>



<a name="161124696"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/161124696" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#161124696">(Mar 19 2019 at 06:28)</a>:</h4>
<p>We can probably do the From&lt;NonZeroU8&gt; conversion in a separate PR</p>



<a name="161253393"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/161253393" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#161253393">(Mar 20 2019 at 14:41)</a>:</h4>
<p>The pull request for CString::from_reader is here!: <a href="https://github.com/rust-lang/rust/pull/59314" target="_blank" title="https://github.com/rust-lang/rust/pull/59314">https://github.com/rust-lang/rust/pull/59314</a></p>



<a name="161253405"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/161253405" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#161253405">(Mar 20 2019 at 14:41)</a>:</h4>
<p>If you have any comments, please let me know!</p>



<a name="162113561"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/162113561" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#162113561">(Mar 30 2019 at 09:33)</a>:</h4>
<p>I was reading through some old T-Doc issues and I found this one:<br>
<a href="https://github.com/rust-lang/rust/issues/54542" target="_blank" title="https://github.com/rust-lang/rust/issues/54542">https://github.com/rust-lang/rust/issues/54542</a></p>
<p>Maybe we can try to create an abstraction for this?</p>



<a name="171334776"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/171334776" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#171334776">(Jul 20 2019 at 17:04)</a>:</h4>
<p>not sure where else to ask this or who might know (perhaps <span class="user-mention" data-user-id="120791">@RalfJ</span> ) but I'm wondering if there's a safe way to do <code>AsRef</code>-style reference conversions for wrapper newtypes for other references now, possibly with something like <code>#[repr(transparent)]</code></p>



<a name="171334792"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/171334792" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#171334792">(Jul 20 2019 at 17:05)</a>:</h4>
<p>the use case is something like <code>std::path::Path</code> (but my own custom path type for different purposes), where I also have an owned <code>PathBuf</code> type, want for it to be able to impl <code>AsRef&lt;Path&gt;</code>, and then use <code>AsRef&lt;Path&gt;</code> as a bound so you can interchangeably pass either a <code>&amp;PathBuf</code> or a <code>&amp;Path</code></p>



<a name="171334838"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/171334838" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#171334838">(Jul 20 2019 at 17:06)</a>:</h4>
<p>and how to <code>impl AsRef&lt;Path&gt; for PathBuf</code> without using <code>unsafe</code></p>



<a name="171334841"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/171334841" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#171334841">(Jul 20 2019 at 17:06)</a>:</h4>
<p>I believe <code>std</code> uses <code>transmute</code> <span aria-label="grimacing" class="emoji emoji-1f62c" role="img" title="grimacing">:grimacing:</span></p>



<a name="171334918"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/171334918" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> HeroicKatora <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#171334918">(Jul 20 2019 at 17:09)</a>:</h4>
<p>Related discussion on special (safe) syntax for <code>#[repr(transparent)]</code> reference conversion on internals: <a href="https://internals.rust-lang.org/t/pre-rfc-patterns-allowing-transparent-wrapper-types/10229" target="_blank" title="https://internals.rust-lang.org/t/pre-rfc-patterns-allowing-transparent-wrapper-types/10229">https://internals.rust-lang.org/t/pre-rfc-patterns-allowing-transparent-wrapper-types/10229</a></p>



<a name="171334925"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/171334925" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#171334925">(Jul 20 2019 at 17:10)</a>:</h4>
<p><span class="user-mention" data-user-id="229913">@Andreas Molzer</span> exactly what I'm looking for! thank you</p>



<a name="171335242"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/171335242" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#171335242">(Jul 20 2019 at 17:19)</a>:</h4>
<p>HeroicKatora? I know this guy, he took over maintenance of <code>png</code>, <code>inflate</code> and a bunch of other formerly Piston projects, and getting safety fixed merged got way easier since. Always very helpful on PRs. Kudos to that guy.</p>



<a name="171335702"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/171335702" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#171335702">(Jul 20 2019 at 17:33)</a>:</h4>
<p>would love to see something like this. in the meantime I'm using <code>Into</code> instead of <code>AsRef</code> as the bound, in order to create an owned wrapper rather than a reference. that mostly works except I'd love to have my <code>PathBuf</code> also impl <code>Deref&lt;Target=Path&gt;</code> but that's not possible without a reference conversion <span aria-label="cry" class="emoji emoji-1f622" role="img" title="cry">:cry:</span></p>



<a name="171335745"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/171335745" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#171335745">(Jul 20 2019 at 17:34)</a>:</h4>
<p>and in absence of being able to impl <code>Deref</code> I'm instead writing wrapper functions on <code>PathBuf</code> that delegate to <code>Path</code></p>



<a name="171335751"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/171335751" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#171335751">(Jul 20 2019 at 17:35)</a>:</h4>
<p>I imagine if this sort of feature lands, there's all sorts of places in <code>std</code> that could use it too...</p>



<a name="171338733"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/171338733" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#171338733">(Jul 20 2019 at 19:05)</a>:</h4>
<p>so the question is how to do this without writing <code>unsafe</code>? Sorry, I don't know. :/</p>



<a name="171338843"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/171338843" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#171338843">(Jul 20 2019 at 19:09)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> yes, exactly. the pre-RFC <span class="user-mention" data-user-id="229913">@Andreas Molzer</span> linked has a suggested casting syntax</p>



<a name="171338844"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/171338844" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#171338844">(Jul 20 2019 at 19:09)</a>:</h4>
<p>which would do exactly what I want</p>



<a name="171338891"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/171338891" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#171338891">(Jul 20 2019 at 19:10)</a>:</h4>
<p>I just want to cast the inner <code>&amp;'a T</code> into a <code>&amp;'a MyNewtype</code> which is a <code>#[repr(transparent)]</code> 1-tuple newtype for <code>&amp;'a T</code></p>



<a name="173997715"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/173997715" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Nick12 <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#173997715">(Aug 23 2019 at 19:52)</a>:</h4>
<p>Is there a way to assert/static_assert that a type is transparent?<br>
I feel like if there was, a simple macro could probably do this</p>



<a name="174260234"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/use%20of%20unsafe/near/174260234" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/use.20of.20unsafe.html#174260234">(Aug 27 2019 at 19:08)</a>:</h4>
<p><span class="user-mention" data-user-id="219940">@Nick12</span> try asking in #black_magic in Rust Community Discord</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>